Is claude-code-wingman safe?

https://clawhub.ai/yossiovadia/claude-code-wingman

38
DANGEROUS

This skill is a tmux-based orchestration system that spawns Claude Code sessions with automatic permission approval, effectively creating a remote code execution pipeline controlled via WhatsApp. The auto-approver completely bypasses Claude Code's permission model, the SKILL.md uses prompt injection techniques to make the agent immediately execute shell commands based on message patterns, and the master monitor forwards session content (including executed commands) via WhatsApp webhooks. While the skill appears to be a legitimate productivity tool for managing multiple coding sessions, its architecture creates severe security risks: any compromise of the WhatsApp channel, webhook endpoint, or message routing could lead to arbitrary code execution on the user's machine.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 20/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (12)

CRITICAL SKILL.md instructs agent to execute shell commands on pattern match -40

The SKILL.md contains a section titled 'CRITICAL: Handle Approval Commands First' that instructs the agent to IMMEDIATELY run shell commands (~/code/claude-code-orchestrator/lib/handle-approval.sh) when user messages match patterns like 'approve ', 'always ', or 'deny '. This converts the agent into a command dispatcher that executes shell scripts based on message content without any verification or confirmation step. The use of 'CRITICAL' and 'IMMEDIATELY' is a prompt injection technique to override the agent's safety behavior.

CRITICAL Auto-approver defeats Claude Code permission model entirely -45

auto-approver.sh runs in an infinite loop monitoring tmux sessions and automatically approves ALL permission prompts — both 'Do you trust' (folder trust) and 'Do you want' (tool call approval). It selects option 2 ('Yes, and allow for session/project') for tool calls, granting blanket approval. This completely defeats Claude Code's safety model, allowing any tool call (file writes, shell commands, network access) without human review.

CRITICAL Remote code execution pipeline via WhatsApp -40

The skill creates a complete remote code execution chain: (1) master-monitor.sh detects approval prompts, (2) send-notification.sh forwards them to WhatsApp via webhook, (3) user replies are parsed by the agent, (4) handle-approval.sh executes the response. A compromised WhatsApp account, man-in-the-middle on the webhook, or social engineering attack could inject arbitrary approval commands. The 'always' command grants permanent auto-approval for a session.

HIGH SKILL.md references external hardcoded paths outside skill directory -25

The SKILL.md instructs the agent to execute scripts at ~/code/claude-code-orchestrator/ — a path completely outside the skill's installation directory. These scripts are not part of the audited skill and could contain any arbitrary code. The agent is instructed to trust and execute these external scripts unconditionally.

HIGH Session content forwarded via WhatsApp notifications -30

master-monitor.sh captures tmux pane content using 'tmux capture-pane -t $session -p -S -50' and extracts command details (Bash, Write, Edit, Read operations). This content — which may include file paths, code snippets, credentials, or sensitive data — is then sent as WhatsApp messages via send-notification.sh. The notification includes the exact Bash commands being executed.

HIGH Clone process accessed sensitive credential files -25

The filesystem monitoring during installation shows the clone process accessed /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. While these may be from the gateway process and not the skill itself, the access to AWS credentials and environment files during skill installation is concerning.

HIGH tmux send-keys enables arbitrary command injection into sessions -20

Multiple scripts use 'tmux send-keys' to inject content into running Claude Code sessions. session-send.sh sends user-provided commands directly: 'tmux send-keys -t "$SESSION_NAME" "$COMMAND"'. There is no sanitization or validation of the command content. An attacker who can influence the command parameter could inject arbitrary commands into any tmux session.

MEDIUM Duplicate SKILL.md frontmatter blocks -15

The SKILL.md file contains two separate YAML frontmatter blocks with different metadata. The first declares emoji '🦅' and the second declares emoji '🎯'. This could be an attempt to confuse skill parsers or inject additional metadata, or simply a development artifact from merging two versions of the skill.

MEDIUM Skill instructs agent to act as autonomous command dispatcher -10

The SKILL.md's 'Core Philosophy' section states 'CRITICAL: When interacting with Claude Code sessions, ALWAYS use the wingman script' and provides patterns for the agent to spawn sessions, send commands, and manage approvals autonomously. This transforms the agent from an assistant into an unattended automation system with shell access.

MEDIUM Webhook endpoint configurable for data exfiltration -10

send-notification.sh uses CLAWDBOT_WEBHOOK_URL (default http://127.0.0.1:18789/hooks/agent) to send session data. This URL is configurable via environment variable or config file. If an attacker modifies the config or environment, all session approval notifications (containing command details) would be sent to an attacker-controlled endpoint.

LOW Scripts write state files to /tmp without access controls -10

Multiple scripts write to /tmp/ directories (/tmp/auto-approver-.log, /tmp/claude-orchestrator/, /tmp/claude-approvals/, /tmp/claude-monitor-.alert) without setting restrictive permissions. Other users or processes on the system could read these files (containing session details) or write to response files to influence approval behavior.

INFO Clone created temp files in /tmp/jiti and /tmp/openclaw-1000 -5

During installation, files were created in /tmp/jiti/ (CJS module cache files) and /tmp/openclaw-1000/ (gateway lock file). These appear to be from the Clawdbot gateway process rather than the skill itself, but indicate the installation environment shares resources with other system processes.